Icons

Vosaic Privacy Statement

Effective Date: 10/21/2025

1. About This Privacy Policy

Nelnet Business Solutions, Inc. and its subsidiaries (“NBS”, “we”, “our”, and “us”) respect your concerns about privacy. NBS operates various brands that are covered by this Privacy Policy, such as FACTS, Nelnet Campus Commerce, Nelnet Payment Services, Booknet, Xetta, My Catholic Faith Delivered, NextGen, and Propelr This Privacy Policy describes the types of personal information we obtain via our websites and online services that link to this Privacy Policy (collectively the “Services”), how we use the information, with whom we share it, and the choices available regarding our use of the information. This Privacy Policy also describes the measures we take to safeguard personal information and how you can contact us about our privacy practices.

Other divisions, affiliates, and subsidiaries of Nelnet, Inc. list their privacy practices on their respective websites. Also, this Privacy Policy applies when we are the “controller” of the information we collect, not the “processor”. For more information about what we mean by “controller” and “processor”, please see our Notice to Our Organization Customer End Users section.

This Privacy Policy also includes information specific to certain categories of users (for example, residents of California)

Please read this Privacy Policy carefully to understand our policies and practices regarding the information we collected and how we use it.

2. Notice to Our Organization Customer End Users

Some data protection laws in various jurisdictions distinguish between “controllers” and “processors” of personal information. While other jurisdictions may use different terminology, the concept typically remains the same. A controller decides why and how to process personal information. A processor—also sometimes called a “service provider”—only processes personal information on behalf of a controller based on the controller’s instructions; the processor does not make decisions about personal information.

We are a processor when we process your personal information on behalf of our organization customers for whom you have a relationship with. However, there are circumstances when we act as a controller, such as, when you:

Under various global privacy laws, it is the controller who is responsible for responding to your privacy inquiries, including any requests to exercise your data protection rights. You may choose to submit such privacy inquiries and requests directly to us, however, if we are the processor with respect to your inquiry or request, we will transfer validated requests and inquiries to the applicable controller, as we cannot respond to such requests or inquiries unless instructed to do so by the controller. We encourage you to direct your inquiries and requests to our organization customers for whom you have a relationship with to ensure your privacy inquiries and requests are processed promptly. Also, we are not responsible for the privacy or security practices of our organization customers, which may differ from those set forth in this Privacy Policy.

If you have questions, please see the “How to Contact Us” section below for further information.

3. Information We Obtain

The types of personal information we may collect include:

  • Contact information, such as name, email and postal address, and phone number;
  • User credentials, such as username and password;
  • Account information and preferences, such as email preferences and paperless registration;
  • Payment data, such as bank account number and routing number, payment card information, including card number and expiration date;
  • Identifiers, such as Social Security number or other government-issued identifier;
  • Demographic information, such as date of birth; and other characteristics such as gender or marital status;
  • Device data and online activity information, as described in the Automated Information Collection section below.
  • Documents and uploaded content, including any materials you submit to us, such as letters, forms, notices, or supporting documents related to your account;
  • Employment and education information, including résumé or job application details, education history, and related background information if you apply for a position with us or interact with our services in a professional capacity.
  • Sensory and communication data, such as audio recordings (e.g., customer service calls), chat transcripts, emails, or other content you provide through our services.
  • Information provided by third-parties, such as personal information about you from third party data providers or publicly available sources for anti-money laundering, background check or similar screening purposes, to protect our business and to comply with legal and regulatory obligations

Information You Provide Directly to Us

Personal information that you provide directly to us will be apparent from the context in which you provide it. For example:

  • Filling out forms: If you fill out a form on our sites, you may provide your name, contact details (postal address, email address and telephone number) and other information requested by the form, such as the reason for your inquiry.
  • Signing up for communication: If you sign up to receive electronic marketing communications from us, you may be asked to provide your name, email address and other contact information.
  • Logging into accounts: When you log into an account, while we obtain your login credentials, your information may be otherwise collected by the third-party that operates the account portal and may be subject to that third party’s own privacy policies, if made available. Once you log in, additional information about you will be included in the portal, such as your name, work email address, phone number, time zone, and postal address, if applicable.
  • Signing up for service features: If you sign up to a feature in connection with one of our Services, you may be asked to provide your name and contact information and other information necessary to access the feature.

Each form in connection with our Services varies in the information required and collected. In most cases, an asterisk (*) indicates the required information on a form. You may choose to provide additional information within fields that are not required.

In addition, you may choose to submit personal information to us if you attend an event that we or one of our affiliates or partners has organized or if you otherwise communicate with us on social media or by sending us an email.

While the personal information you choose to provide is voluntary, providing certain personal information may be necessary to offer you the relevant product or service. If you choose not to provide certain information, this may affect our ability to provide you with certain products or services.

Automated Information Collection

In addition, when you interact with the Services, or open or view our emails, we may obtain certain information using various automated technologies, such as cookies, web server logs, web beacons, and other technologies (collectively, “Cookies”). The types of Cookies used on our Services may include:

  • Browser Cookies: these are a small text file unique to your device. They can either be session-based (in other words, lasting while your browser is open) or persistent (in other words, lasting until you delete them or they expire).
  • Local Stored Objects: these are stored on your device or browser to provide the Services.
  • Web Beacons: also known as an Internet tag, pixel tag or clear GIF, these are small pieces of code placed on a website or within the body of an email for the purpose of tracking activity on websites, or when emails are opened or accessed, and are often used in combination with cookies.
  • Software Development Kits: these are bits of computer code used by app developers to enable or enhance various features of an app. For example, an app developer may include an SDK within an app that enables advertisements to be shown, data to be collected, and related services or analytics to be performed in connection with the app.
  • Session Replay Software. These are third-party services that can record users’ interactions such as users’ clicks, cursor movements and page scrolls.

We use these technologies to collect information about your equipment, browsing actions, and usage patterns. The information we obtain in this manner may include your IP address, identifiers associated with your devices, web browser characteristics, device characteristics, language preferences, referring/exit pages, clickstream data and dates and times of visits to the Services. These technologies help us:

  • Remember your information so you will not have to re-enter it;
  • Understand how you use and interact with the Services and with our electronic communications with you such as our emails;
  • Tailor the Services around your preferences;
  • Measure the usability of the Services and the effectiveness of our communications; and
  • Otherwise manage and enhance the Services and our other services, and help ensure they are working properly.

Your browser may tell you how to be notified when you receive certain types of cookies or how to restrict or disable certain types of cookies. Please note, however, that certain features of the Services may not work without use of cookies.

Depending on where you are located and the type of Services you are engaging with, we use a consent management platform for you to manage your preferences for web-based Cookies.

Once you log in or create an account with us, you may be asked to acknowledge this Privacy Policy including our use of cookies and similar technologies. From that point on, your preferences are based on that acknowledgment, and the consent management tool is no longer used.

Other Online Services and Third-Party Features

For your convenience and information, the Services may contain links to, or integrations with, other websites, platforms, or services that include third-party features such as apps, tools, widgets and plug-ins. These online services and third-party features operate independently from us. The privacy practices of the relevant third parties, including details on the information they may collect about you, are subject to the privacy policies of these parties, which we strongly suggest that you review. To the extent any linked online services or third-party features are not owned or controlled by us we are not responsible for these third parties’ information practices.

If you are a Vosaic customer, we may enable users to import files directly from certain third-party features, such as OneDrive, Google, Zoom, or a personal hard drive, your instance of the Vosaic Service. We provide this functionality via Vosaic to enhance user experiences with seamless file integration. In such cases, Vosaic does not use any customer data (including videos) accessed or obtained through these third-party features to improve the Vosaic services, including to train, develop, or improve any artificial intelligence (AI) or machine learning (ML) models. All information Vosaic receives via these third-party features is processed solely to provide the Vosaic Services as outlined in this Privacy Policy.

4.How We Use Information

Legitimate Business Purposes

We may use the information we gather for the following legitimate business purposes:

  • Provide and manage our services, including establishing and servicing accounts, processing transactions, and managing our business relationships.
  • Authenticate identity and authorize access to our platforms and services.
  • Communicate with you, including responding to inquiries, providing support, sending service-related messages, and offering promotions or other marketing communications.
  • Personalize your experience, such as tailoring content, offers, and interactions to your preferences, and measuring the effectiveness of our marketing efforts.
  • Operate and improve our business and services, including developing new products, analyzing usage trends, evaluating the performance of communications and campaigns, and conducting accounting, auditing, and other internal operations.
  • Perform data analytics and research, including market and financial analysis, customer insights, and the deidentification, anonymization or aggregation of personal information.
  • Enhance security and prevent misuse, such as protecting our services, users, and systems from fraud, abuse, unauthorized access, and other harmful activity.
  • Diagnose and address technical issues, support information technology (IT) operations, and ensure system reliability and continuity.
  • Maintain business records and conduct internal administrative functions.
  • Comply with legal and regulatory obligations, enforce our policies and terms, and respond to law enforcement or regulatory inquiries.

For these processing activities, we may use techniques such as artificial intelligence and machine learning to process and analyze data.

When we deidentify, aggregate, or anonymize data for purposes such as analytics, research, product development, and to improve our services, we endeavor to maintain and use the data in a deidentified, anonymized, or aggregated form such that it cannot reasonably be used to reidentify individuals, except as permitted by applicable law.

Third-Party Analytics

We may use third-party analytics services in connection with our Services, such as:

  • Google Analytics
  • Pendo
  • Hubspot
  • Apollo
  • Clay

We also may use third-party session replay and screen capture services that record users’ interactions with our site, such as:

  • HotJar
  • Microsoft Clarity

The service providers that administer these services use automated technologies such as Cookies to help us analyze your use of the Services. For more information, see our “Automated Information Collection” section above. The information we obtain through our Services may be disclosed to or collected directly by these service providers. To learn more about these service providers, please consult their respective privacy policies. For example, we use Google Analytics for this purpose. You can learn more about Google Analytics and how to prevent the use of Google Analytics relating to your use of our sites here: https://tools.google.com/dlpage/gaoptout?hl=en.

Marketing and Advertising

In connection with our Services, we may obtain information about your online activities to provide you with advertising about services tailored to your interests. You may also see our ads on other websites because we use third-party advertising services as described below. Through such advertising services, we can target our messaging to users considering demographic data, users’ inferred interests and browsing context. These services track your online activities over time and across multiple websites by collecting information through automated means, including with cookies, web server logs, web beacons and other similar technologies. The advertising services use this information to show you ads that may be tailored to your individual interests. The information that advertising services may collect includes data about your visits to websites that serve our advertisements, such as the pages or ads you view and the actions you take on the websites. This data collection takes place both in connection with our Services and on third-party websites that participate in these advertising services. This process also helps us track the effectiveness of our marketing efforts. For more information about your choices regarding these marketing and advertising services, see our Your Rights and Choices section below.

The Services otherwise are not designed to respond to “do not track” signals received from browsers.

Third-Party CAPTCHA Services

We may use third-party CAPTCHA services in connection with the Services, such as Google reCAPTCHA. The information we obtain through the CAPTCHA services may be disclosed to or collected directly by these services. To learn more about Google reCAPTCHA, please visit Google’s Privacy Policy and Terms of Use.

5. How We Disclose Information

We may disclose the information we obtain about you with affiliates and subsidiaries. We also disclose personal information with affiliated and non-affiliated third-party vendors to perform certain services on our behalf, such as website hosting, data analytics, payment processing, sending communications (e.g., via email), and other services.

In addition, sometimes the law or other circumstances require that we may disclose information about you. Some examples include the following:

  • If we are required to do so by law or legal process (such as a court order or subpoena);
  • In response to requests by government agencies, such as law enforcement authorities;
  • To establish, exercise or defend our legal rights;
  • To protect, defend or enforce our policies, terms or agreements;
  • When we believe disclosure is necessary or appropriate to address security or to prevent physical or other harm or financial loss;
  • In connection with an investigation of suspected or actual illegal activity; or
  • Otherwise with your consent.

We also reserve the right to transfer information we have about you in the event we sell or transfer all or a portion of our business or assets (such as in the event of a merger, acquisition, joint venture, consolidation, restructuring, divestiture, dissolution liquidation or other corporate change), including during any due diligence process.

Mobile information will not be shared with any third parties for their own purposes, except as permitted or required by law in response to valid requests by public authorities (e.g. a court or a government agency). “Mobile information”, for purposes of this disclosure, means text messaging originator opt-in data and consent.

6. Your Rights and Choices

You may have certain rights and choices regarding how we collect, use, disclose and otherwise process your personal information.

Communications Choices

You can tell us at any time not to send you marketing communications by email by clicking on the unsubscribe link in the marketing emails you receive from us or by sending an “opt out” request to the address indicated on the email.

Advertising and Marketing

Depending on where you reside, you may have the right to opt out of the sale of your personal information or sharing or processing of your personal data for targeted advertising. You can exercise your opt-out rights by navigating to the “Your Privacy Choices” link in connection with the relevant Services. For more information, visit our Automated Information Collection section.

Depending on where you reside, you may also use the Global Privacy Control (“GPC”) through a supported browser to signal certain of opt-out preferences across our relevant Services. Please see the “Additional Jurisdiction-Specific Information” section below for more details.

You can limit use of your information for interest-based advertising by:

Access, Correction, Deletion and Other Rights. Depending on where you reside, you may have the right to request access to, or correction or deletion of, your personal information. For more information, see the Additional Jurisdiction-Specific Information section.

Other Choices. You can edit or remove certain information in your user account with our relevant Services.

7. How We Protect Personal Information

We maintain administrative, technical safeguards designed to protect the personal information we obtain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

8. Children’s Privacy

We recognize the importance of protecting children’s online privacy. Our Services are not directed to children under the age of 13. However, we are aware that our FACTS Student Information System (“SIS”) platform may be used by our FACTS school clients to allow their students, including children under the age of 13 (“children” or “students”), to access the SIS for educational purposes as authorized by their schools.

In such cases, we presume that our school clients act as agents on behalf of parents and that a school’s authorization for the collection of students’ personal information is based upon the school obtaining all legally-required consents or other legally permissible purposes. In addition, where the Family Educational Rights and Privacy Act (FERPA) applies to our Services, we act as a “school official” with “legitimate educational interests” and we rely on our school clients to obtain parental consent, if required. We only use this information to deliver services as directed by those schools. We have detailed our collection and use of the personal information of children below.

What information do we collect?

  • When a student uses or interacts with our Services, the student may provide us with personal information in connection with the following Services: FACTS SIS
  • For more information, please review our “Information We Obtain” section.
  • During a student’s use of our Services, we may collect certain information using various automated technologies, such as cookies, log files, web beacons, and other technologies. For more information, please review our “Automated Information Collection” section. This information includes: IP address, identifiers associated with the Student’s devices, web browser characteristics, device characteristics, language preferences, referring/exit pages, clickstream data and dates and times of visits to our website and Services.

How do we use the information we collect?

  • We may use information we collect from students for the following purposes:
  • To provide our Services;
  • To notify and communicate with the school or parents about a child’s use of our Services;

To whom do we disclose the information?

  • We may disclose information as follows:
  • We may disclose information to third-party companies and individuals to facilitate our Services, provide the Services on our behalf, perform website-related services, assist us in analyzing how our website and Services are used, or perform other services.
  • We may share information with companies that are affiliated with us, such as our direct or indirect subsidiaries or parent or sister companies.
  • We also may share information when you ask or permit us to do so; in response to subpoenas or court orders; when we suspect fraud or criminal activity; to protect our property and rights or those of a third party; to protect the safety of the public or any person; or to prevent or stop activity we may consider to be, or to pose a risk of being, illegal, unethical, or legally actionable.

Parental Choices

Parents can review or have the information collected from their child deleted. Parents may also refuse to permit further collection or use of such information. To do so, please see the “How to Contact Us” section below.

9. Retention of Personal Information

To the extent required by applicable law, we keep the personal information for the period reasonably necessary to achieve the purposes described in our Privacy Policy, plus a reasonable period to comply with the applicable statute of limitations or if otherwise required under applicable law, unless a shorter retention period is required by applicable law.

10. Additional Jurisdiction-Specific Information

If you are a California resident, please refer to our California Consumer Privacy Notice.

If you are located in the European Economic Area (“EEA”), the United Kingdom or Switzerland, visit our EEA/UK/Swiss Privacy Statement.

11. HIPAA Notice

We do not intentionally collect Protected Health Information (“PHI”), as it is not required for the use of our Services. Users should not upload PHI in connection with our Services unless explicitly agreed to in writing. If you are a Vosaic customer, any PHI included in data uploaded in connection with the Vosaic services will be handled in accordance with Amazon Web Service’s HIPAA Compliance Policy. If you believe PHI may have been inadvertently uploaded, please contact us as specified in the How To Contact Us section below.

12. Changes To This Privacy Policy

We may update this Privacy Policy from time to time and without prior notice to you to reflect changes in our privacy practices. We will indicate at the top of the notice when it was most recently updated. The Privacy Policy is effective as of the date listed above and applies to our services that link to this Privacy Policy. These changes or modifications supersede any prior versions of this Privacy Policy.

13. How To Contact Us

If you have any questions about this Privacy Policy, please contact us by email at AskPrivacy@nelnet.net.

Our Role as Processor

Depending on the situation, we may be the “processor” in connection with your privacy request or inquiry. Please see the “Notice to Our Organization Customer End Users” section for more information about what we mean by “processor”. In these situations, we follow the instructions of our organization customers, and they control how your personal information is used. If you have privacy questions or want to exercise your rights regarding data we process on their behalf, you should contact that organization directly. We will support them in responding to your request, but we cannot make decisions about your data without their guidance.

If you’re unsure who to contact, feel free to reach out to us, and we can help direct you to the appropriate party.

@Vosaic
/VosaicInsight
@Vosaic
@Vosaic